acme-client can't fetch full chain


acme-client can't fetch full chain

Carlin Bingham-2
It seems Let's Encrypt have changed the address of the full chain
certificate, so it's now a 301 redirect that acme-client can't follow:

        $ doas acme-client -vv walcyrge.org
        [...]
        acme-client: http://cert.int-x3.letsencrypt.org/: full chain
        acme-client: cert.int-x3.letsencrypt.org: DNS: 104.116.134.206
        acme-client: http://cert.int-x3.letsencrypt.org/: bad HTTP: 301
        acme-client: short read: chain length

        $ nc cert.int-x3.letsencrypt.org 80
        GET / HTTP/1.1
        Host: cert.int-x3.letsencrypt.org

        HTTP/1.1 301 Moved Permanently
        Server: AkamaiGHost
        Content-Length: 0
        Location: https://cert.int-x3.letsencrypt.org/
        Cache-Control: max-age=0
        Expires: Sun, 11 Mar 2018 12:51:16 GMT
        Date: Sun, 11 Mar 2018 12:51:16 GMT
        Connection: keep-alive

My certs last renewed on January 10 with no problems, so this must have
changed since then.

This is on:

        OpenBSD 6.2 (GENERIC) #6: Wed Feb 28 20:36:37 CET 2018
            [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC

--
Carlin
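
Added example, not part of the thread and not acme-client's own code: a C routine that classifies the reply to a plain-HTTP chain fetch, separating a same-host upgrade to https (the 301 shown above) from a redirect to a different host. The names `classify_chain_reply`, `header_value` and `chain_reply` are hypothetical, and the sample reply is constructed from the headers in the post.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum chain_reply { CHAIN_OK, CHAIN_HTTPS_UPGRADE, CHAIN_REDIRECT_OTHER, CHAIN_BAD };
/* Constructed sample, abbreviated from the reply quoted in the post. */
static const char sample_reply[] =
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Length: 0\r\n"
    "Location: https://cert.int-x3.letsencrypt.org/\r\n\r\n";

/* Copy the value of header `name` into out; 0 on success, -1 if absent or too long. */
static int header_value(const char *resp, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = strstr(resp, "\r\n");              /* end of status line */
    while (p != NULL && strncmp(p, "\r\n\r\n", 4) != 0) {
        p += 2;                                        /* start of next header line */
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            p += nlen + 1 + strspn(p + nlen + 1, " \t");   /* skip "Name:" and blanks */
            int n = snprintf(out, outsz, "%.*s", (int)strcspn(p, "\r\n"), p);
            return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
        }
        p = strstr(p, "\r\n");
    }
    return -1;
}

/* Classify the raw reply to a fetch of http://<host>/ (hypothetical helper). */
enum chain_reply classify_chain_reply(const char *resp, const char *host)
{
    int code = 0;
    char loc[256];
    size_t hlen = strlen(host);
    if (sscanf(resp, "HTTP/1.%*1[01] %3d", &code) != 1) return CHAIN_BAD;
    if (code == 200) return CHAIN_OK;
    if (code != 301 && code != 302 && code != 307 && code != 308) return CHAIN_BAD;
    if (header_value(resp, "Location", loc, sizeof(loc)) != 0) return CHAIN_BAD;
    /* Upgrade only when the scheme is https and the host matches up to the next '/'. */
    if (strncasecmp(loc, "https://", 8) == 0 &&
        strncasecmp(loc + 8, host, hlen) == 0 && loc[8 + hlen] == '/')
        return CHAIN_HTTPS_UPGRADE;
    return CHAIN_REDIRECT_OTHER;
}

int main(void)
{
    printf("%d\n", classify_chain_reply(sample_reply, "cert.int-x3.letsencrypt.org"));
    return 0;
}
```

A client that acts on `CHAIN_HTTPS_UPGRADE` still has to validate the TLS certificate of the https endpoint before trusting the chain it returns.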


Re: acme-client can't fetch full chain

Christian Ruesch-3
I have the same problem on my server.

kern.version=OpenBSD 6.2 (GENERIC.MP) #6: Wed Feb 28 21:13:02 CET 2018
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP


Everything works fine until the end.

acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 104.68.104.217
acme-client: http://cert.int-x3.letsencrypt.org/: bad HTTP: 301
acme-client: short read: chain length
acme-client: bad exit: certproc(8158): 1
acme-client: bad exit: netproc(96742): 1

My certificate expires on March 27, 2018 and cannot be renewed.


I found this bug report:

https://github.com/kristapsdz/acme-client-portable/issues/50


-- quote --

acme-client takes its instructions from the X509 certificate, CA issuer (1.3.6.1.5.5.7.48.2), which directs to http://cert.int-x3.letsencrypt.org/. However, http://cert.int-x3.letsencrypt.org/ redirects to https://cert.int-x3.letsencrypt.org/ now:

$ curl --head "http://cert.int-x3.letsencrypt.org/"
HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://cert.int-x3.letsencrypt.org/
Cache-Control: max-age=0
Expires: Sun, 11 Mar 2018 11:55:48 GMT
Date: Sun, 11 Mar 2018 11:55:48 GMT
Connection: keep-alive